Nmap Development mailing list archives
Re: Q4'06 Service Submissions are done!
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sun, 15 Apr 2007 20:43:42 +0000
On Sun, 15 Apr 2007 13:15:38 -0700 doug () hcsw org wrote:
>> Regarding the fake SSH on FTP banner, did you include a match?
>
> No, I didn't include a match line on that one. I wasn't 100% sure how to handle it. Should it be a very generic "220 SSH-.*" type match or should we match SSH versions more specifically? Also, how would you suggest describing this service?

"220 SSH-.*" is probably too generic for comfort. Every time we've seen someone set an FTP banner like this they've tried to make it look like some version of OpenSSH. I think something slightly less generic like this would do:

"^220-?\s+SSH-[\d.]+-([A-Z]+)"

Figuring out how to describe it is the harder part. It probably deserves the **BACKDOOR** label with a note about what it is. Perhaps something like this:

match ftp m|^220-?\s+SSH-[\d.]+-([A-Z]+)| p/FTP masquerading as $1/ i/**BACKDOOR**/

Brandon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
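The match line proposed in the message above, exercised against a few constructed banners to show which ones it accepts and what `$1` captures. This is an added example, not part of the original thread; Python's `re` stands in for the PCRE engine Nmap uses, and the function names and sample banners are assumptions.

```python
import re

# Pattern copied from the match line proposed in the message above.
# re.ASCII keeps \d and \s to ASCII, as they behave on raw banner bytes.
PROPOSED = re.compile(r"^220-?\s+SSH-[\d.]+-([A-Z]+)", re.ASCII)
# The broader form the message sets aside as too generic.
GENERIC = re.compile(r"220 SSH-.*", re.ASCII)

# Constructed sample banners for illustration, not real submissions.
SAMPLES = [
    "220 SSH-2.0-OpenSSH_4.3\r\n",           # FTP greeting dressed up as SSH
    "220- SSH-1.99-OpenSSH_3.9p1\r\n",       # same, multi-line reply form
    "220 SSH-enabled FTP server ready\r\n",  # ordinary FTP greeting
    "220 ProFTPD 1.3.0 Server ready\r\n",    # ordinary FTP greeting
    "SSH-2.0-OpenSSH_4.3\r\n",               # genuine SSH identification
]


def product_field(banner):
    """Return the p// text the proposed line would yield, or None."""
    m = PROPOSED.search(banner)
    if m is None:
        return None
    # Emulate the $1 substitution in p/FTP masquerading as $1/.
    return "FTP masquerading as " + m.group(1)


def generic_hits(banner):
    """True if the broad '220 SSH-.*' pattern would fire on this banner."""
    return GENERIC.search(banner) is not None


if __name__ == "__main__":
    for b in SAMPLES:
        print(repr(b), "->", product_field(b), "| generic:", generic_hits(b))
```

With `[A-Z]+` and no case-insensitive flag, the capture for an `OpenSSH_4.3` banner is the single letter `O`, which is what ends up in the product field.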